
<!doctype html>
<html lang="en-US">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="x-ua-compatible" content="ie=edge">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="http://gmpg.org/xfn/11">
	<meta name="google-site-verification" content="woFGOBDXdYqOInoJ8yXHyUdw08AF-tC-0jmKv5r24WQ" />

	<!--[if lt IE 9]>
		<script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js"></script>
	<![endif]-->

	<link rel="preconnect" href="//in.hotjar.com" crossorigin>
<link rel="preconnect" href="//jukebox.pathfactory.com" crossorigin>
<link rel="dns-prefetch" href="//okt.to" crossorigin>
<link rel="dns-prefetch" href="//www.facebook.com" crossorigin>
<link rel="dns-prefetch" href="//connect.facebook.net" crossorigin>
<link rel="dns-prefetch" href="//service.force.com" crossorigin>
<link rel="dns-prefetch" href="//d.la3-c1-ph2.salesforceliveagent.com" crossorigin>
<link rel="dns-prefetch" href="//ib.adnxs.com" crossorigin>
<link rel="dns-prefetch" href="//pixel.advertising.com" crossorigin>
<link rel="dns-prefetch" href="//ups.analytics.yahoo.com" crossorigin>
<link rel="dns-prefetch" href="//pixel.rubiconproject.com" crossorigin>
		<!-- connect to domain of font files -->
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <!-- async CSS -->
    <link rel="stylesheet" media="print" onload="this.media='all';" href="https://fonts.googleapis.com/css?family=Lato:300,400,400i,700,900&display=swap" >
    <link rel="stylesheet" media="all" href="https://fonts.googleapis.com/css2?family=Jost:wght@400;500;700&family=Lexend+Deca:wght@400;500;600;700;800&display=swap">

	<!-- no-JS fallback -->
	<noscript>
		<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:300,400,400i,700,900&display=swap">
	</noscript>
	<script>dataLayer = [];</script>
		<script defer>(function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({'gtm.start': new Date().getTime(), event: 'gtm.js'}); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-KHGG4KL');</script>
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v20.3 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Chaos Malware Quietly Evolves Persistence and Evasion Techniques &ndash; Sysdig</title>
	<meta name="description" content="We will go through the analysis of chaos malware based on our captured attacks with an emphasis on persistence techniques." />
	<link rel="canonical" href="https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Chaos Malware Quietly Evolves Persistence and Evasion Techniques &ndash; Sysdig" />
	<meta property="og:description" content="We will go through the analysis of chaos malware based on our captured attacks with an emphasis on persistence techniques." />
	<meta property="og:url" content="https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/" />
	<meta property="og:site_name" content="Sysdig" />
	<meta property="article:publisher" content="https://www.facebook.com/Sysdig415/" />
	<meta property="article:published_time" content="2023-03-17T14:00:00+00:00" />
	<meta property="article:modified_time" content="2023-03-17T13:20:46+00:00" />
	<meta property="og:image" content="https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png" />
	<meta property="og:image:width" content="1200" />
	<meta property="og:image:height" content="660" />
	<meta property="og:image:type" content="image/png" />
	<meta name="author" content="Nicholas Lang" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:image" content="https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png" />
	<meta name="twitter:creator" content="@sysdig" />
	<meta name="twitter:site" content="@sysdig" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Article","@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#article","isPartOf":{"@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/"},"author":{"name":"Nicholas Lang","@id":"https://sysdig.com/#/schema/person/24494b1d6eea9010538adce3a45c0bfe"},"headline":"Chaos Malware Quietly Evolves Persistence and Evasion Techniques","datePublished":"2023-03-17T14:00:00+00:00","dateModified":"2023-03-17T13:20:46+00:00","mainEntityOfPage":{"@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/"},"wordCount":1836,"publisher":{"@id":"https://sysdig.com/#organization"},"image":{"@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#primaryimage"},"thumbnailUrl":"https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png","keywords":["Kubernetes","Sysdig Secure"],"articleSection":["Falco","Kubernetes"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/","url":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/","name":"Chaos Malware Quietly Evolves Persistence and Evasion Techniques &ndash; Sysdig","isPartOf":{"@id":"https://sysdig.com/#website"},"primaryImageOfPage":{"@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#primaryimage"},"image":{"@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#primaryimage"},"thumbnailUrl":"https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png","datePublished":"2023-03-17T14:00:00+00:00","dateModified":"2023-03-17T13:20:46+00:00","description":"We will go through the analysis of chaos malware based on our captured attacks with an emphasis on persistence 
techniques.","breadcrumb":{"@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#primaryimage","url":"https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png","contentUrl":"https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png","width":1200,"height":660},{"@type":"BreadcrumbList","@id":"https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://sysdig.com/"},{"@type":"ListItem","position":2,"name":"Chaos Malware Quietly Evolves Persistence and Evasion Techniques"}]},{"@type":"WebSite","@id":"https://sysdig.com/#website","url":"https://sysdig.com/","name":"Sysdig","description":"","publisher":{"@id":"https://sysdig.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://sysdig.com/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://sysdig.com/#organization","name":"Sysdig","url":"https://sysdig.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://sysdig.com/#/schema/logo/image/","url":"https://sysdig.com/wp-content/uploads/sysdig-logo-social-share-2020.png","contentUrl":"https://sysdig.com/wp-content/uploads/sysdig-logo-social-share-2020.png","width":1200,"height":630,"caption":"Sysdig"},"image":{"@id":"https://sysdig.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/Sysdig415/","https://twitter.com/sysdig","https://www.linkedin.com/company/sysdig","https://www.youtube.com/c/sysdig"]},{"@type":"Person","@id":"https://sysdig.com/#/schema/person/24494b1d6eea9010538adce3a45c0bfe","name":"Nicholas Lang","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://sysdig.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/bdc74d516d8dfa91b36639410e7f86fc?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/bdc74d516d8dfa91b36639410e7f86fc?s=96&d=mm&r=g","caption":"Nicholas Lang"},"url":"https://sysdig.com/blog/author/nicholas-lang/"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//www.google.com' />
<link rel="alternate" type="application/rss+xml" title="Sysdig &raquo; Feed" href="https://sysdig.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Sysdig &raquo; Comments Feed" href="https://sysdig.com/comments/feed/" />
<link rel='stylesheet' id='safe-svg-block-frontend-css' href='https://sysdig.com/wp-content/plugins/safe-svg//dist/safe-svg-block-frontend.css?ver=2.1.0' type='text/css' media='all' />
<link rel='stylesheet' id='classic-theme-styles-css' href='https://sysdig.com/wp-includes/css/classic-themes.min.css?ver=1' type='text/css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;}:where(.is-layout-flex){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: 
center;}body .is-layout-flex > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) 
!important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) 
!important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
.wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;}
:where(.wp-block-columns.is-layout-flex){gap: 2em;}
.wp-block-pullquote{font-size: 1.5em;line-height: 1.6;}
</style>
<link rel='stylesheet' id='v4-sysdig-main-css' href='https://sysdig.com/wp-content/themes/sysdig/public/styles/main-v4.css?ver=1680800383' type='text/css' media='screen' />
<script type='text/javascript' src='https://sysdig.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.1' id='jquery-core-js'></script>
<script type='text/javascript' src='https://sysdig.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script type='text/javascript' src='https://go.sysdig.com/js/forms2/js/forms2.min.js?ver=20200729-2010' id='forms2-js'></script>
<link rel="https://api.w.org/" href="https://sysdig.com/wp-json/" /><link rel="alternate" type="application/json" href="https://sysdig.com/wp-json/wp/v2/posts/68410" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://sysdig.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://sysdig.com/wp-includes/wlwmanifest.xml" />
<link rel='shortlink' href='https://sysdig.com/?p=68410' />
<link rel="alternate" type="application/json+oembed" href="https://sysdig.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsysdig.com%2Fblog%2Fchaos-malware-persistence-evasion-techniques%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://sysdig.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsysdig.com%2Fblog%2Fchaos-malware-persistence-evasion-techniques%2F&#038;format=xml" />
<!-- Stream WordPress user activity plugin v3.9.2 -->
<meta name="author" content="Nicholas Lang" /><meta itemprop="datePublished" content="2023-03-17" /><link rel="icon" href="https://sysdig.com/wp-content/uploads/2019/10/cropped-sysdig_favicon-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://sysdig.com/wp-content/uploads/2019/10/cropped-sysdig_favicon-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://sysdig.com/wp-content/uploads/2019/10/cropped-sysdig_favicon-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://sysdig.com/wp-content/uploads/2019/10/cropped-sysdig_favicon-1-270x270.png" />
		<style type="text/css" id="wp-custom-css">
			h1 .u-text-underline.u-underline-teal,
h2 .u-text-underline.u-underline-teal{
	text-decoration: none;
}


.col-12.col-lg-8.offset-lg-2 code:not(.hljs){
background-color: rgba(150,255,255,.3);
  padding: 2px 5px;
  font-size: 0.8em;
  border: rgba(150,255,255,0.3) solid 0.5px;
  border-radius: 5px;
}
		</style>
		<noscript><style id="rocket-lazyload-nojs-css">.rll-youtube-player, [data-lazy-src]{display:none !important;}</style></noscript></head>

<body class="post-template-default single single-post postid-68410 single-format-standard wp-custom-logo announcement-bar">
	
<div id="page" class="site">

	<div id="main-navigation" class="c-site-nav-wrap fixed-top bg-white">
	
	

	</ul>
</li>
	<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55185" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children nav-item pb-0 lg:pb-4  no-header "><div class="nav-column-header flex items-center md:flex-wrap md:items-start pb-5" aria-expanded="false"><span>Log In &#8211; 3rd Column Header &#8211; HIdden<span></span></span></div>
	<ul aria-labelledby="menu-item-dropdown-57665" role="menu">
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-57666" class="menu-item menu-item-type-custom menu-item-object-custom nav-item pb-4"><a class="nav-link depth-2" href="https://cx.sysdig.com/" id="menu-item-dropdown-57666" target="_blank"><div class="position-relative inline">Support<span class="gradient-border"></span></div></a></li>
	</ul>
</li>
</ul>
</li>
<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55187" class="is-language-dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children nav-item dropdown"><a id="menu-item-dropdown-55187" class="nav-link flex items-center dropdown-toggle" role="button" data-toggle="dropdown" aria-expanded="false"><img src="https://sysdig.com/wp-content/themes/sysdig/assets/images/globe.svg" /> <div class="d-flex d-lg-none ml-1">Languages</div><span></span></a>
<ul class="dropdown-menu flex-col lg:flex-row flex-nowrap px-5 pt-2 pb-6 lg:px-7 lg:pt-12 lg:pb-8" aria-labelledby="menu-item-dropdown-55187" role="menu">
<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" class="mobile-back d-flex d-lg-none pb-4"><a href="#" class="d-flex items-center">Back to main menu</a></li>	<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55188" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children nav-item pb-0 lg:pb-4  no-header "><div class="nav-column-header flex items-center md:flex-wrap md:items-start pb-5" aria-expanded="false"><span>Language Header &#8211; Hidden<span></span></span></div>
	<ul aria-labelledby="menu-item-55188" role="menu">
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55194" class="menu-item menu-item-type-custom menu-item-object-custom nav-item pb-4"><a class="nav-link depth-2" href="https://de.sysdig.com/" id="menu-item-dropdown-55194"><div class="position-relative inline">Deutsch<span class="gradient-border"></span></div></a></li>
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55189" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home nav-item pb-4"><a class="nav-link depth-2" href="https://sysdig.com/" id="menu-item-dropdown-55189"><div class="position-relative inline">English<span class="gradient-border"></span></div></a></li>
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55192" class="menu-item menu-item-type-custom menu-item-object-custom nav-item pb-4"><a class="nav-link depth-2" href="https://sysdig.es/" id="menu-item-dropdown-55192"><div class="position-relative inline">Español<span class="gradient-border"></span></div></a></li>
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55190" class="menu-item menu-item-type-custom menu-item-object-custom nav-item pb-4"><a class="nav-link depth-2" href="https://fr.sysdig.com/" id="menu-item-dropdown-55190"><div class="position-relative inline">Français<span class="gradient-border"></span></div></a></li>
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55191" class="menu-item menu-item-type-custom menu-item-object-custom nav-item pb-4"><a class="nav-link depth-2" href="https://it.sysdig.com/" id="menu-item-dropdown-55191"><div class="position-relative inline">Italiano<span class="gradient-border"></span></div></a></li>
		<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55193" class="menu-item menu-item-type-custom menu-item-object-custom nav-item pb-4"><a class="nav-link depth-2" href="https://sysdig.jp/" id="menu-item-dropdown-55193"><div class="position-relative inline">日本<span class="gradient-border"></span></div></a></li>
	</ul>
</li>
</ul>
</li>
<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55195" class="menu-item menu-item-type-custom menu-item-object-custom nav-item"><a id="menu-item-dropdown-55195" class="nav-link flex items-center  button   bg-yellow " href="/start-free/" target="_blank">Start Free<span></span></a></li>
<li itemscope="itemscope" itemtype="https://www.schema.org/SiteNavigationElement" id="menu-item-55196" class="menu-item menu-item-type-custom menu-item-object-custom nav-item"><a id="menu-item-dropdown-55196" class="nav-link flex items-center  text-link " href="/request-a-demo/" target="_blank">Get Demo<span></span><span></span></a></li>
</ul>                </div>

                    </nav>
    </div>
</div>

	<div id="content" class="site-content"><div id="primary" class="content-area"><main id="main" class="site-main">
			

<div class="c-v4-m1-hero o-section pb-12 md:pb-24
    ">

  <div class="o-container container">
    <div class="row">

            <div class="c-v4-m1-hero--main col-12 col-md-6 pb-8 md:pb-0">
        

        <h1>Chaos Malware Quietly Evolves Persistence and Evasion Techniques</h1>

        
                  <div class="b-v4-block-container-author">
                        By <a href="https://sysdig.com/blog/author/nicholas-lang/">Nicholas Lang</a> - MARCH 17, 2023          </div>
        
        
         


              </div>

      <div class="c-v4-m1-hero--lottie col-12 col-md-6 d-flex">
        <div class="lottie-wrapper ready" style="height: calc(100% + 150px);">

                          <img src="https://sysdig.com/wp-content/themes/sysdig/assets/images/v4/blog-post-background-image-1.jpg">

                    </div>
        <div class="d-flex justify-center align-items-center w-100"> 
          <div class="b-v4-block-container-img md:mt-12"> 
            <img width="1200" height="660" src="https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png" class="attachment-full size-full" alt="" decoding="async" srcset="https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured.png 1200w, https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured-350x193.png 350w, https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured-1170x644.png 1170w, https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured-768x422.png 768w, https://sysdig.com/wp-content/uploads/BlogImages-ChaosMalware-featured-175x96.png 175w, / 1w" sizes="(max-width: 1200px) 100vw, 1200px" />          </div>
        </div>
      </div>

    </div>
  </div>
</div>


<div class="o-container container b-v4-block-container pb-12 md:pb-24">

  <div class="row justify-content-between">

          <style>
        /* Use calculated var from announement bar script to calc top offset */
        .c-nav-links {
          top: calc(100px + var(--banner-height))
        }
        .admin-bar .c-nav-links {
          top: calc( 32px + 100px + var(--banner-height));
        }
        /* Set transition when pinned */
        .b-v4-block-container-anchors {
          transition: padding 250ms ease-out;
        }
        .b-v4-block-container-anchors.is-pinned {
          border-top-color: white;
          padding-top: 15px;
          padding-bottom: 15px;
        }
      </style>

      <div id="nav-links-desktop" class="c-nav-links col-12 flex flex-wrap b-v4-block-container-anchors mb-2 mt-0 sticky bg-white z-10 c-toc__wrapper">
        <p>content:</p>
				          <a href="#tech" class="b-v4-block-container-anchors-links">Technical analysis</a>
				          <a href="#binary" class="b-v4-block-container-anchors-links">Binary analysis</a>
				          <a href="#conclusion" class="b-v4-block-container-anchors-links">Conclusion</a>
				
      </div>

      <div class="b-v4-block-container-anchors--mobile">
        <div class="b-v4-block-container-anchors--mobile-holder" data-more-mobile-dropdown>
          <p class="b-v4-block-container-anchors--mobile-title">Content</p>
          <div class="b-v4-block-container-anchors--mobile-image" data-more-mobile-dropdown></div>
        </div>

				          <div class="b-v4-block-container-anchors--mobile-link" data-more-mobile-dropdown>
            <a class="text-link " href="#tech" target="">Technical analysis<span></span></a>          </div>
				          <div class="b-v4-block-container-anchors--mobile-link" data-more-mobile-dropdown>
            <a class="text-link " href="#binary" target="">Binary analysis<span></span></a>          </div>
				          <div class="b-v4-block-container-anchors--mobile-link" data-more-mobile-dropdown>
            <a class="text-link " href="#conclusion" target="">Conclusion<span></span></a>          </div>
				
      </div>

    

    
      <div class="col-12 col-lg-8 offset-lg-2">

        <p></p>
<p>The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig&rsquo;s Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new. Kaiji malware, which dates to 2020, is of Chinese origin and is written in Golang. Similarly, Chaos is a Chinese Golang malware developed for both Windows and Linux operating systems, and for multiple hardware architectures too.</p>



<p><span style="text-size: smaller; font-style: italic; border: 1px solid #FF9E1B; display: block; border-radius: 25px; padding: 25px; max-width: 96%; margin: 2em auto;"><em>What makes Chaos interesting is that it puts a lot of effort into persisting on its target, while also implementing defense evasion tactics which are not commonly seen in Linux malware.</em><span style='font-size: revert; color: initial; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;'></span></span></p>



<p>Chaos made a lot of noise in our <a href="https://sysdig.com/blog/how-to-honeypot-vcluster-falco/" target="_blank" rel="noreferrer noopener">honeypot</a> in mid-January when we directly observed this malware attacking a misconfigured Apache Tomcat environment. We saw it again at the end of February with some evolutions. Previous iterations of this malware were sourced from a publicly available malware repository and <a href="https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/">analyzed</a> by Lumen&rsquo;s Black Lotus Labs. </p>



<p>We will go through the analysis of our captured attacks with an emphasis on persistence techniques in this blog, and share our Indicators of Compromise (IOCs) at the end.</p>



<h2>Kaiji malware</h2>



<p>As far as behavioral attributes, we concur with previous reporting that this Chaos malware is an evolution of the Kaiji botnet, with much of the same previously reported functionality. To summarize, Kaiji was a DDoS botnet that mainly attacked IoT devices via SSH brute-forcing, hence the source language being Go and easy cross-compilation to common IoT architectures like PowerPC and SPARC. The Chaos variant we captured shows all of the same DDoS functionality as the previously reported-on version, and rather than build a Chaos emulator, we identified that the code supporting this functionality was still present in this new version.</p>



<h2 id="tech">Technical analysis</h2>



<p>After being installed via the exploitation of a misconfigured Apache Tomcat environment, Chaos malware pivoted to install ALL the persistence mechanisms. We will explain in greater detail below, but the actors behind this attack really wanted to ensure their attack would survive a reboot, which raises the question of whether or not they considered that the world has moved on to containerized workloads &ndash; none of these persistence mechanisms would survive a container restart.</p>



<p>We started our analysis using the tool <em><a href="https://github.com/ssdeep-project/ssdeep">ssdeep</a></em> for fuzzy hashing, or comparing similar but not identical files. This allowed us to cluster the files we captured based on similarity. The invocation in the screenshot is telling <em>ssdeep</em> to group the files by similarity (<code>-g</code>), and to hash all of the files in the directory (<code>-d</code>). First, we found 10 files that were all the same binary. <strong>Turns out, they are copies of the malware itself.</strong> The remaining files were scripts used to execute the malware via different persistence mechanisms.</p>



<figure class="wp-block-image size-full"><a href="https://sysdig.com/wp-content/uploads/image1-61.png"><img decoding="async" width="674" height="596" src="https://sysdig.com/wp-content/uploads/image1-61.png" alt="Chaos Malware Quietly Evolves Persistence and Evasion Techniques " class="img-lightbox wp-image-68411 u-drop-shadow" title="image_tooltip" style="margin: auto" srcset="https://sysdig.com/wp-content/uploads/image1-61.png 674w, https://sysdig.com/wp-content/uploads/image1-61-350x309.png 350w, https://sysdig.com/wp-content/uploads/image1-61-175x155.png 175w, / 1w" sizes="(max-width: 674px) 100vw, 674px"></a></figure>



<h3>T1053.003 &#8211; scheduled task/job: cron</h3>



<p>First of all, we saw that persistence was achieved by copying itself to the file path <code>/etc/id.services.conf </code>and creating the file <code>/etc/32678</code>. This action remains unchanged from previous reporting and for this reason, we knew we were likely looking at Chaos. The<code> /etc/32678</code> file contains the following shell script:</p>


<pre class="wp-block-code" aria-describedby="shcb-language-1" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines"><span class="hljs-comment">#!/bin/sh</span>
<span class="hljs-keyword">while</span> [ <span class="hljs-number">1</span> ]; <span class="hljs-keyword">do</span>
<span class="hljs-keyword">sleep</span> <span class="hljs-number">60</span>
/etc/id.services.conf
done</code></span><small class="shcb-language" id="shcb-language-1"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<p>The <code>/etc/32678</code> file was then executed by adding an entry to <code>crontab</code> and executing <code>cron -f</code>, which makes <em>cron</em> run in the foreground instead of background. The script will attempt to execute the malware while the <em>cron</em> program continues to run. This can be considered the malware&rsquo;s initial startup. Since running <em>cron</em> like this isn&rsquo;t persistent, the attacker resorts to a number of additional methods to ensure their malware comes back after a reboot or if it dies.</p>



<h3>T1554: compromise client software binary</h3>



<p>Chaos attempts to use the user and automated scripts as a persistence mechanism by trojaning common user binaries. When these binaries are executed, the main Chaos payload will be run. The original program is not called, so the expected behavior of the command would not occur. This tactic also has the side effect of making it difficult for a user to see what is happening on the system.</p>



<p>The files replaced are:</p>



<figure class="wp-block-table"><table class="table"><tbody><tr><td><code>/usr/bin/find</code></td></tr><tr><td><code>/usr/bin/dir</code></td></tr><tr><td><code>/usr/bin/ls</code></td></tr><tr><td><code>/usr/bin/ps</code></td></tr></tbody></table></figure>



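<p>The Chaos malware does attempt to hide its presence in a rather uncommon way. Shell functions in the <code>gateway.sh</code> script, when placed in <code>/etc/profile.d/</code>, will run the users&rsquo; shell commands and filter out any sign of the malware&rsquo;s presence. The example below replaces the <code>find</code> command and uses <code>sed</code> to strip out its own filenames. Because the override is a shell function rather than a binary, running <code>type find</code> in an affected shell reports a function instead of a file path, which is a quick way to spot this kind of tampering.</p>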


<pre class="wp-block-code" aria-describedby="shcb-language-2" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines">function find {
    proc_name=$(/usr/bin/find $@) <span class="hljs-comment"># run the backdoored find with the original arguments specified by the user</span>
    proc_name=$(echo <span class="hljs-string">"$proc_name"</span> | sed -e <span class="hljs-string">'/32676/d'</span>)
    proc_name=$(echo <span class="hljs-string">"$proc_name"</span> | sed -e <span class="hljs-string">'/dns-tcp4/d'</span>)
    proc_name=$(echo <span class="hljs-string">"$proc_name"</span> | sed -e <span class="hljs-string">'/quotaoff.service/d'</span>)
    proc_name=$(echo <span class="hljs-string">"$proc_name"</span> | sed -e <span class="hljs-string">'/System.mod/d'</span>)
    proc_name=$(echo <span class="hljs-string">"$proc_name"</span> | sed -e <span class="hljs-string">'/gateway.sh/d'</span>)
    proc_name=$(echo <span class="hljs-string">"$proc_name"</span> | sed -e <span class="hljs-string">'/32676/d'</span>)
    . . . &lt;other IoCs here&gt;
    echo <span class="hljs-string">"$proc_name"</span>
}</code></span><small class="shcb-language" id="shcb-language-2"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<h3>T1546.004 &#8211; event triggered execution: unix shell configuration modification</h3>



<p>The <code>/etc/profile</code> file sets the environment variables at startup of the bash shell. The <code>/etc/profile.d/</code> directory contains other scripts that contain application-specific startup files, which are also executed at startup time by the shell. This is a common place attackers can place their own files in order to gain execution. In this case, it occurs when a shell is launched, such as when a user logs in to the system.</p>



<p>The attacker placed the <code>/etc/profile.d/bash_config.sh</code> file which contains:</p>


<pre class="wp-block-code" aria-describedby="shcb-language-3" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines"><span class="hljs-comment">#!/bin/sh</span>
/etc/profile.d/bash_config</code></span><small class="shcb-language" id="shcb-language-3"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<p>This invokes the specified malware each time a new bash shell is spawned. Note that this is the ELF version of the malware, not another script.</p>



<h3>T1053.003 &#8211; scheduled task/job: cron</h3>



<p><em>Cron</em> is a system binary that is analogous to <em>scheduled tasks</em> for those coming from the Windows world. <em>Cron</em> allows attackers to ensure that their malware will be restarted after a certain time interval, increasing the persistence of the attack. The <code>crontab</code> file invokes the hidden file <code>.img</code>, which is a shell script that then calls the<code> libdlrpcld.so</code> file, which is yet another copy of the malware. The following <em>cron</em> entry will execute <code>.img</code> every minute.</p>


<pre class="wp-block-code" aria-describedby="shcb-language-4" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines">*<span class="hljs-regexp">/1 * * * * root /</span>.img</code></span><small class="shcb-language" id="shcb-language-4"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<p>The <code>.img</code> file is a shell script which calls a copy of the malware, named<code> libdlrpcld.so </code>like so:</p>


<pre class="wp-block-code" aria-describedby="shcb-language-5" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines"><span class="hljs-comment">#!/bin/sh\n/usr/lib/libdlrpcld.so                                                                </span></code></span><small class="shcb-language" id="shcb-language-5"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<h3>T1543.002 &#8211; create or modify system process: systemd service</h3>



<p><em>Systemd&rsquo;s</em> primary component is a &#8220;system and service manager&#8221; &ndash; an <em>init</em> system used to bootstrap user space and manage user processes. It also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging. In this case, the attackers wrote a <em>systemd</em> service that will run the malware (here named <code>System.img.config</code>) on system <em>init</em>.</p>



<p>The file <code>/usr/lib/systemd/linux.service </code>was created by the attacker as a <em>systemd</em> service that executes the malware on boot:</p>


<pre class="wp-block-code" aria-describedby="shcb-language-6" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines">$ cat linux.service
[Unit]
Description=linux
After=network.target
[Service]
Type=forking
ExecStart=<span class="hljs-regexp">/boot/</span>System.img.config
ExecReload=<span class="hljs-regexp">/boot/</span>System.img.config
ExecStop=<span class="hljs-regexp">/boot/</span>System.img.config
[Install]
WantedBy=multi-user.target </code></span><small class="shcb-language" id="shcb-language-6"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<h3>T1037 &#8211; boot or logon initialization scripts</h3>



<p>In Unix-based computer operating systems, <em>init</em> (short for initialization) is the first process started during booting of the operating system. <em>Init</em> is a daemon process that continues running until the system is shut down. It is the direct or indirect ancestor of all other processes and automatically adopts all orphaned processes. <em>Init</em> is started by the kernel during the booting process; a kernel panic will occur if the kernel is unable to start it. <em>Init</em> is typically assigned PID 1. Init scripts placed in the <code><em>/etc/init.d/</em></code> directory allow for users to write their own startup scripts or programs.</p>



<p>Below, you can see the threat actors behind Chaos leverage <em>init</em> scripts to ensure that their malware (here named <code><em>System.img.config</em></code>) will run on system startup. They used both <em>init.d</em> and <em>systemd</em> to better their chances of retaining persistence, presumably because they don&rsquo;t know in advance which system their target uses. The file used was: <code>/etc/init.d/linux_kill</code>. On boot, it will execute the <code>/boot/System.img.config</code> file, which is the Chaos malware.</p>


<pre class="wp-block-code" aria-describedby="shcb-language-7" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines">cat linux_kill
<span class="hljs-comment">#!/bin/sh</span>
<span class="hljs-comment">### BEGIN INIT INFO</span>
<span class="hljs-comment">#chkconfig: 2345 10 90</span>
<span class="hljs-comment">#description:System.img.config</span>
<span class="hljs-comment"># Default-Start:	2 3 4 5</span>
<span class="hljs-comment"># Default-Stop:</span>
<span class="hljs-comment">### END INIT INFO</span>
/boot/System.img.config
<span class="hljs-keyword">exit</span> <span class="hljs-number">0</span>  </code></span><small class="shcb-language" id="shcb-language-7"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<h2 id="binary">Binary analysis</h2>



<p>During our investigation, we observed two versions of the Chaos malware which we will call 32678 and 32676. While the surrounding shell scripts were different and showed an evolution of tactics, the malware itself seems to have remained very similar. First, we used <em>ssdeep</em> to compare them, but as the results show below, they were not the same.</p>


<pre class="wp-block-code" aria-describedby="shcb-language-8" data-shcb-language-name="Perl" data-shcb-language-slug="perl"><span><code class="hljs language-perl shcb-wrap-lines">$ ssdeep ./files/System.mod ../chaos/files/System.img.config
ssdeep,<span class="hljs-number">1.1</span>--blocksize:hash:hash,filename
<span class="hljs-number">24576</span>:ae9ufJvk4gQjMNRfktnsIXvZFyD9i+MPCIxyuzNqssZXJjZbdYVVMtIwWz1v:WYMnwRO4ssPJd5Wz1,<span class="hljs-string">"/Users/nicholaslang/chaos_new/files/System.mod"</span>
<span class="hljs-number">49152</span>:E33d0lGt6UHcFL7Rn2o03wiEhiDmzzd/<span class="hljs-number">9</span>sARlBs/<span class="hljs-number">00</span>Cpfx9a9uNYp9hW16klbU6V:E33GlbU8FwmzzRDZ9mjqRV,<span class="hljs-string">"/Users/nicholaslang/chaos/files/System.img.config"</span></code></span><small class="shcb-language" id="shcb-language-8"><span class="shcb-language__label">Code language:</span> <span class="shcb-language__name">Perl</span> <span class="shcb-language__paren">(</span><span class="shcb-language__slug">perl</span><span class="shcb-language__paren">)</span></small></pre>


<p>Next, we measured the entropy, or randomness, of each binary and plotted the results on a graph. Different types of data tend to have different levels of entropy; normal x64 code is less random than an encrypted executable. In order to obfuscate an executable, threat actors will often employ various methods to change the binary so that its hashes no longer match those of earlier samples, which is what we saw in this case.</p>



<figure class="wp-block-image size-large"><a href="https://sysdig.com/wp-content/uploads/image2-48.png"><img decoding="async" width="1170" height="441" src="https://sysdig.com/wp-content/uploads/image2-48-1170x441.png" alt="Entropy graphs of the two Chaos binaries, which show near-identical layouts" class="img-lightbox wp-image-68412 u-drop-shadow" srcset="https://sysdig.com/wp-content/uploads/image2-48-1170x441.png 1170w, https://sysdig.com/wp-content/uploads/image2-48-350x132.png 350w, https://sysdig.com/wp-content/uploads/image2-48-768x289.png 768w, https://sysdig.com/wp-content/uploads/image2-48-175x66.png 175w, https://sysdig.com/wp-content/uploads/image2-48.png 1237w" sizes="(max-width: 1170px) 100vw, 1170px"></a></figure>



<p>The two versions of the Chaos malware (32676 and 32678, respectively) are extremely different when fuzzy-hashed with <em>ssdeep</em>, but the entropy graphs reveal very similar (near-identical) binary layouts. This suggests that the threat actor did attempt to obfuscate the binary between attacks, but their methods did not significantly alter the binary&rsquo;s structure. There are likely no major changes to its functionality either. This investigative technique makes it easier to identify additional Chaos variants, although a similar entropy profile is only a heuristic and should be confirmed with further static or dynamic analysis before a sample is attributed to the same family.</p>



<h2 id="conclusion">Conclusion</h2>



<p>Chaos is either not being deployed very frequently, is being miscategorized as its parent version, Kaiji, and therefore ignored, or is simply not being found. Regardless, we were surprised to find so little information on what seems to be a fairly capable piece of malware. The authors of the malware have put more effort than most into persisting the malware across reboots and hiding its presence.</p>



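<p>Our analysis showed that there were several copies of the malware being used in the wild. There are also multiple persistence mechanisms for malware execution, an indication that the actor is thorough but not necessarily competent with containers: a container typically does not run <em>init.d</em> or <em>systemd</em>, and changes to its filesystem are discarded when it is recreated from its image. While a simple reboot in a containerized environment will rid you of this botnet (provided the malware did not reach a persistent volume or the host), you should patch the initial access vector (likely a CVE) to truly rid yourself of this infection.</p>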



<h2>IOCs</h2>



<p><strong>IP Addresses</strong>:</p>



<p>98.159.98[.]203</p>



<p>107.189.7[.]51</p>



<figure class="wp-block-table"><table class="table"><tbody><tr><td class="has-text-align-left" data-align="left"><strong>Filename</strong></td><td><strong>MD5 Hash</strong></td></tr><tr><td class="has-text-align-left" data-align="left"><strong>Attack 1</strong></td></tr><tr><td class="has-text-align-left" data-align="left">linux_386</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">bash_config</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">find</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">dir</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">id.services.conf</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">ls</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">System.img.confg</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">ps</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">system-monitor</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">libdlrpcld.so</td><td>14be5f004bc5e7a33c3057df92ad9a16</td></tr><tr><td class="has-text-align-left" data-align="left">32678</td><td>768eaf287796da19e1cf5e0b2fb1b161</td></tr><tr><td class="has-text-align-left" data-align="left">bash_config.sh</td><td>cfb4e51061485fe91169381fbdc1538e</td></tr><tr><td class="has-text-align-left" data-align="left">crontab</td><td>360878ce5edb3684950ebb0c138298f8</td></tr><tr><td class="has-text-align-left" data-align="left">linux.service</td><td>d80ccc7ced99538f22336f2ec0249087</td></tr><tr><td class="has-text-align-left" data-align="left">linux_kill</td><td>3909975f7cc0d1121c1819b800069f31</td></tr><tr><td 
class="has-text-align-left" data-align="left">.img</td><td>d73d3376908ea075a939e3871ad0fabe</td></tr><tr><td class="has-text-align-left" data-align="left"><strong>Attack 2</strong></td></tr><tr><td class="has-text-align-left" data-align="left">32676</td><td>47684525bfdf26f49fd1cf742b17c015</td></tr><tr><td class="has-text-align-left" data-align="left">bash_cfg</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td class="has-text-align-left" data-align="left">bash_cfg.sh</td><td>3e32bcdce50da6c05127094b32e5401a</td></tr><tr><td class="has-text-align-left" data-align="left">cron</td><td>0e0a4a7372459b9c2d8f45baa40a64b3</td></tr><tr><td class="has-text-align-left" data-align="left">crontab</td><td>a60806d9e03c42cd3bd740cbfb6d4375</td></tr><tr><td class="has-text-align-left" data-align="left">dir</td><td>079b45463b8b7f66d9ec2c24b2853fbe</td></tr><tr><td class="has-text-align-left" data-align="left">find</td><td>b68ef002f84cc54dd472238ba7df80ab</td></tr><tr><td class="has-text-align-left" data-align="left">gateway.sh</td><td>b10f8b371ee7559987c4b29a4ac85e42</td></tr><tr><td class="has-text-align-left" data-align="left">hashes.txt</td><td>d12d6a5241cf180734dbe0b928c97798</td></tr><tr><td class="has-text-align-left" data-align="left">hwclock.sh</td><td>40e4f04e723fb5bee6df2327ea35254d</td></tr><tr><td class="has-text-align-left" data-align="left">libgdi.so.0.8.1</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td class="has-text-align-left" data-align="left">linux_386</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td class="has-text-align-left" data-align="left">ls</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td class="has-text-align-left" data-align="left">opt.services.cfg</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td class="has-text-align-left" data-align="left">procps</td><td>bea2bdfd5f7688d4f6e313dc63ca499d</td></tr><tr><td class="has-text-align-left" data-align="left">ps</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td 
class="has-text-align-left" data-align="left">quotaoff.service</td><td>b02de6cd28cd922b18d9d93375a70d8b</td></tr><tr><td class="has-text-align-left" data-align="left">system-mark</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr><tr><td class="has-text-align-left" data-align="left">System.mod</td><td>0db80699dcdf8372e0f813eaea8b5782</td></tr></tbody></table></figure>

      </div>

    
  </div>
</div>



</div><!-- #content -->


</main><!-- #main --></div><!-- #primary -->